Mega's Security Appears To Be Surprisingly Bad

from the trial-by-fire dept

We were a little skeptical of Kim Dotcom's new Mega cloud storage offering, in part because the claims of security and privacy seemed somewhat dubious upfront. We didn't see how it would be reasonably possible to do everything the service claimed it was doing in a manner that really kept the data secret. And, indeed, it has not taken long for security researchers around the globe to raise questions. Right away there were significant questions about the security design choices, including some questions about how random the random key generation really was, as well as significant concerns about Mega's claims that it offered deduplification (if things were really encrypted correctly, there would be nothing to deduplicate).

While Mega has responded to some of those criticisms, a whole host of other security questions have been raised, leading cryptographer Nadim Kobeissi to tell Forbes: "Quite frankly it felt like I had coded this in 2011 while drunk." A big part of the problem is that, by doing everything in the browser, you're really still trusting Mega, even as Mega implies that you have full control over the encryption.

And, then comes the news that when you first sign up, while Mega hashes your password, it sends you an email that includes the hash in plain text along with other data, such that one hacker has already released a tool to extract passwords from Mega's confirmation emails:

Steve "Sc00bz" Thomas, the researcher who uncovered the weakness, has released a program called MegaCracker that can extract passwords from the link contained in confirmation e-mails. Mega e-mails a link to all new users and requires that they click on it before they can use the cloud-based storage system, which boasts a long roster of encryption and security protections. Security professionals have long considered it taboo to send passwords in either plaintext or as cryptographic hashes in e-mails because of the ease attackers have in intercepting unencrypted messages sent over Internet.

Despite that admonishment, the link included in Mega confirmation e-mails contains not only a hash of the password, but it also includes other sensitive data, such as the encrypted master key used to decrypt the files stored in the account. MegaCracker works by isolating the AES-hashed password embedded in the link and attempting to guess the plaintext that was used to generate it.

Users still need to crack the hashed password, but that's a relatively easy brute force effort, especially for those who use weaker passwords (i.e., most people). There are, of course, much more secure ways of handling this, such as not including the plain text hash in the email.

All that said, many of these problems can be fixed, but when your whole pitch to the public is about how secure and private you are -- and some have been falsely implying that such a system allows individuals to avoid copyright infringement claims -- it seems reasonable to suggest that better security should be in place from the beginning.